[Freeipa-users] Sudo configuration question

Stephen Gallagher sgallagh at redhat.com
Wed Dec 21 18:14:58 UTC 2011


On Wed, 2011-12-21 at 09:08 -0900, Erinn Looney-Triggs wrote:
> On 12/21/2011 04:37 AM, Stephen Gallagher wrote: 
> > On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
> > > I have been working through configuring sudo via IPA and ran into the
> > > following situation.
> > > 
> > > There is a directive in the documentation to configure
> > > /etc/sssd/sssd.conf on the clients with something like the following:
> > > 
> > > ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> > > 
> > > 
> > > This is pulled from the docs here for reference:
> > > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
> > > 
> > > This is fine and causes no problems, however, when I mistakenly left it
> > > out on a few systems, sudo continued to function, so I am wondering what
> > > it is that this directive does? Does this get sssd into the loop to
> > > cache sudo rules for offline use?
> > > 
> > > Any ideas?
> > Sorry for the confusion in the other responses to this thread. The short
> > answer is this: SUDO can use LDAP rules (as you clearly know). It does
> > this with its own internal LDAP lookup (it doesn't currently go through
> > SSSD to accomplish this).
> > 
> > However, SUDO rules can specify netgroups as part of their restrictions
> > on who can do what (usually these are used to limit functions to certain
> > hosts). In order to do this, SSSD needs to be configured to look up
> > netgroups properly so that SUDO can use the 'getnetgrent()' glibc
> > command to locate the netgroups.
> > 
> > The doc you are looking at is actually a bit out of date. It's no longer
> > necessary to provide that option, because if it's unspecified, we set it
> > automatically to cn=ng,cn=compat,dc=example,dc=com (using the
> > appropriate base, of course).
> > 
> > Jan's comments about upstream work were that we recently made changes to
> > avoid needing to use the compat tree for netgroup lookups and can
> > instead use FreeIPA's native, custom schema for netgroups. That's not
> > terribly relevant to you, but it's a useful piece of information.
> > 
> > So, in short, you don't need to set it, the doc is outdated.
> > 
> > 
> 
> Ok thanks, that makes sense. One final question here, is there a way
> to verify that sssd is in fact setting this properly? Not that I doubt
> you of course, it is just a matter of so many versions of sssd in so
> many places that it would be good to verify that it works
> automagically on RHEL 5, 6, and whatever else, say Ubuntu etc. 
> 
> -Erinn
> 

You can set 'debug_level = 6' in [domain/<DOMAINNAME>] of sssd.conf and
restart. If you look in the sssd_<DOMAINNAME>.log, you should see a line
setting the ldap_netgroup_search_base option.
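The check Stephen describes (raise debug_level in the domain section, restart, look for the ldap_netgroup_search_base line in sssd_<DOMAINNAME>.log) can be scripted so it is repeatable across a fleet of RHEL 5/6 and Ubuntu clients. The script below is an added example, not from this thread or from the SSSD or FreeIPA projects. It assumes: an ini-style sssd.conf; the legacy 0-9 debug_level numbering used in the reply (hex bitmask values are reported as "cannot judge"); that at level 6 the domain log contains a line mentioning ldap_netgroup_search_base whose last whitespace-separated token is the DN; and that the expected default is cn=ng,cn=compat,<base DN> as the reply states. The sample sssd.conf and log line are constructed for the demo; real paths, the domain name and the netgroup name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify that SSSD picked up a netgroup
# search base for a domain, the way the reply above says to check it.
# Assumptions: ini-style sssd.conf, legacy 0-9 debug_level, and a log line
# containing "ldap_netgroup_search_base" whose last token is the DN.

# ini_get FILE SECTION KEY -> prints the value, or nothing if the key is unset.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == sec); next }
        insec && index($0, "=") > 0 {
            k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# log_netgroup_base LOGFILE -> DN from the last line mentioning the option, or nothing.
# (Assumed log format: the DN is the last whitespace-separated token on that line.)
log_netgroup_base() {
    awk '/ldap_netgroup_search_base/ { v = $NF } END { if (v != "") print v }' "$1"
}

# expected_netgroup_base BASEDN -> the compat-tree default the reply describes.
expected_netgroup_base() {
    printf 'cn=ng,cn=compat,%s\n' "$1"
}

# check_netgroup_base CONF DOMAIN LOGFILE BASEDN
#   0: log shows the expected base   1: missing or different   2: cannot judge
check_netgroup_base() {
    conf=$1; domain=$2; log=$3; basedn=$4
    level=$(ini_get "$conf" "domain/$domain" debug_level)
    case "$level" in
        ''|*[!0-9]*)
            printf 'debug_level in [domain/%s] is "%s": set it to 6 and restart sssd\n' \
                "$domain" "${level:-unset}" >&2
            return 2 ;;
    esac
    if [ "$level" -lt 6 ]; then
        printf 'debug_level %s is too low to log option values; use 6\n' "$level" >&2
        return 2
    fi
    want=$(expected_netgroup_base "$basedn")
    got=$(log_netgroup_base "$log")
    if [ -z "$got" ]; then
        printf 'no ldap_netgroup_search_base line in %s (was sssd restarted?)\n' "$log" >&2
        return 1
    fi
    if [ "$got" != "$want" ]; then
        printf 'ldap_netgroup_search_base is %s, expected %s\n' "$got" "$want" >&2
        return 1
    fi
    printf 'ldap_netgroup_search_base = %s\n' "$got"
    return 0
}

# Constructed sample client configuration (placeholder domain, no explicit netgroup base).
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
ipa_domain = example.com
debug_level = 6
EOF
}

# Constructed sample log line in the assumed format.
write_sample_log() {
    cat > "$1" <<'EOF'
(Wed Dec 21 10:00:00 2011) [sssd[be[example.com]]] [sdap_get_map] (6): Option ldap_netgroup_search_base has value cn=ng,cn=compat,dc=example,dc=com
EOF
}

# demo -> runs the check against the constructed files; exit status is the check result.
demo() {
    d=$(mktemp -d) || return 2
    write_sample_conf "$d/sssd.conf"
    write_sample_log "$d/sssd_example.com.log"
    check_netgroup_base "$d/sssd.conf" example.com "$d/sssd_example.com.log" dc=example,dc=com
    rc=$?
    rm -rf "$d"
    return $rc
}

# On a real client (not run here): add "debug_level = 6" under [domain/example.com],
# restart sssd, then
#   check_netgroup_base /etc/sssd/sssd.conf example.com /var/log/sssd/sssd_example.com.log dc=example,dc=com
# and finally confirm the glibc path sudo uses actually resolves through SSSD:
#   getent netgroup <netgroup-name>
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check_netgroup_base.sh demo` to exercise the constructed sample; the `getent netgroup` step is the part that proves the getnetgrent() route sudo depends on is working end to end, which the log line alone does not.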